Comments (4)
darklynx
commented on September 25, 2024
1
I think that the unrestricted forwarding feature made the Request Baskets "famous" and got us to the CVE database 😅:
https://nvd.nist.gov/vuln/detail/CVE-2023-27163
And some samples of Request Baskets misuse, when running the service non-isolated from the rest of your network 😰:
https://cyb3rc4t.hashnode.dev/htb-writeupsau
from request-baskets.
eliliam
commented on September 25, 2024
Any update on this? This would be a great feature to add
from request-baskets.
darklynx
commented on September 25, 2024
PRs are welcome
from request-baskets.
darklynx
commented on September 25, 2024
we operate the application in kubernetes and want to avoid access to internal ressources via request-baskets, as it can be turned into an open proxy.
That is a very valid concern 👍
The easiest solution is an option to disable forwarding in general.
The proposed solution sounds like a reasonable amount of development with additional testing of corner cases like resolving a domain into IP and sub-network. Maybe there are already libraries in Go that solves that problem and they can be easily applied here. But I'm not aware of them, and not that familiar with such kind of libraries. Also I have a limited free time at the moment.
Hence, PRs for improvements are welcome and very much appreciated.
Thank you! 🙏
from request-baskets.
Related Issues (20)
- Humble Request: Allow basket urls to have /'s in their URLs
- getAndAuthBasket should be called getAuthenticatedBasket HOT 1
- add ability to get full raw GET parameters in the "GET" green header HOT 4
- SSL Support HOT 1
- Provide parameter to instantiate basket on startup HOT 8
- Provide ARM based image on docker hub HOT 5
- Add 'copy to clipboard' button to UI HOT 1
- Host header is missing from the Headers section HOT 1
- Running using docker run and setting a custom master token HOT 1
- Migrate to go modules HOT 1
- basket expiration HOT 1
- Restrict creation of new baskets HOT 3
- Allow hosting the webapp as non-root HOT 2
- Error installing version 1.2.0 HOT 3
- Add support for SPRIG template functions HOT 4
- Bootstrap Upgrade/Dark Mode HOT 9
- [Feature] Support create basket and configure response HOT 1
- Handling Multipart HOT 1
- [SSRF] CVE-2023-27163 HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from request-baskets.